The present invention relates in general to client/server data communication systems and more particularly, the present invention is directed towards a method and apparatus that automatically provides protection against a potential DoS attack.
Computer systems are well known in the art and have become a business staple and are also found in many homes. One feature available to the business world is that of using electronic mailing (e-mail) to send and receive messages and other information to and from one another in a business setting. Similarly, home computers, such as desk tops or laptops, and other information devices, such as personal digital assistants (PDAs), allow telecommuting such that a user can connect to the user""s work server and down load and upload messages.
The e-mail system allows clients of a network system, which is maintained by a server system, to send messages or data from one user to another. In order to minimize disk space and requirements as well as to maximize functionality and consistency of the electronic mailing engine used in the network system, the engine is typically located on the server and is merely accessed by a client in order to send messages or retrieve messages to or from another user or client on the server system. In this way, the client system typically allows the user to perform such operations as composing, updating, and sending messages while the server in such a system provides, in part, a server based message repository as well as providing message transmission and reception functions for the user at the client level.
One such email system is described with reference to FIG. 1 showing a messaging system 100 suitable for large, distributed networks such as the Internet or large scale intranet systems. The system 100 typically includes a central server 102 resident in a computer system 104 that can take the form of a mainframe system as well as a distributed type computing system. When the system 100 is a messaging system, such as an email system, the central server 102, as the central email server, is coupled to an interface, such as a firewall 106, that mediates the flow of information between the mail server 102 and its n clients represented as client 108, client 110, and client 112. Typically, when the client 108, for example, desires to establish a channel to the server 102, the client 108 will generate a request to open a connection to the mail server 102 by any one of a variety of transports and protocols that are submitted directly by the requesting client 108, via, for example, TCP/IP as an SMTP message from an Internet system. Such a connection request can be submitted by using a dial-up modem using the PhoneNet protocol, DECnet as a MAIL-11 message, DECnet as an SMTP message, UUCP, an X.400 transport, SNA, and so on. For instance, at sites with an Internet connection, Internet addresses are normally routed through an SMTP over TCP/IP channel, however, at sites with only a UUCP connection, Internet addresses would instead be routed through a UUCP channel.
Once the connection request has been accepted, a channel is open between the requesting client 108 and the server computer 102 allowing for the transfer of data. In some cases, however, the requesting client 108 can, either intentionally or unintentionally, disrupt the operations of the server 102 by generating a large number of connection requests within a relatively short length of time (i.e., connection request rate). A denial of service (DoS) attack has been defined as those situations where a high connection request rate has been intentionally initiated by, what would be in this case, an attacker having the intent to disrupt, or even, halt the operations of the server 102 by forcing the server 102 to allocate resources to the processing of the multitude of requests.
More specifically, a denial of service attack is an incident in which a user or organization is deprived of the services of a resource they would normally expect to have. Typically, the loss of service is the inability of a particular network service, such as e-mail, to be available or the temporary loss of all network connectivity and services. In the worst cases, for example, a Web site accessed by millions of people can occasionally be forced to temporarily cease operation. A denial of service attack can also destroy programming and files in a computer system.
A conventional approach to defending against such DoS attacks is based upon the concept of determining the identification of a potential attacker by monitoring a connection request rate for each requesting client. A requesting client whose connection request rate is higher than a pre-determined threshold is identified as an attacker and is blocked accordingly.
Unfortunately, however, even though using the conventional DoS defense stratagem has the potential to thwart the DoS attack, there are several problems with this approach. One such problem is the fact that the attacker has now been notified that the attack has been discovered and all that is now required to resume the attack is for the attacker to change locations. This process of identifying, blocking, and changing location can be repeated ad infinitum requiring a substantial amount of server processing resources anyway. Another problem with this approach is that in some cases a legitimate requesting client can have a short term burst of connection requests without being an attack. By cutting off these legitimate xe2x80x9cburstxe2x80x9d clients, substantial economic costs can be incurred, not the least of which, is loss of revenue due to lost sales, etc.
Therefore, it would be desirable to have an improved method and apparatus for preventing a DoS attack.
To achieve the foregoing, and in accordance with the purpose of the present invention, method, apparatus, and computer readable medium for preventing a DoS attack without notifying the DoS attacker are disclosed. In one embodiment, in a client/server environment, a method for preventing a denial of service (DoS) attack by a requesting client on a server computer is described. A connection request at a time tn in a throttling interval m is received and if the time tn is not at a beginning of the throttling interval m then an interval m connection request count is incremented. If the interval m connection request count is determined to be greater than a rejection threshold associated with the requesting client then the connection request is rejected. If, however, it is determined that the interval m connection request count is not greater than the rejection threshold then the server computer waits an interval m wait time before accepting the request.
In another embodiment of the invention an apparatus for defending against a DoS attack is described. The apparatus includes a connection request receiver unit for receiving a connection request at a time tn in a throttling interval m from the requesting client, an incrementing unit coupled to the connection request receiver unit for incrementing an interval m connection request count when the time tn is not at a beginning of the throttling interval m. The apparatus also includes a processor unit coupled to the interval m connection request count buffer arrainged to determine if the interval m connection request count is greater than a rejection threshold associated with the requesting client and a request throttler unit coupled to the processor unit arrainged to reject the connection request when it is determined that the interval m connection request count is greater than the rejection threshold, and wait an interval m wait time when it is determined that the interval m connection request count is not greater than the rejection threshold before the request is accepted by the server computer.
In another embodiment of the invention, computer readable media including computer program code for preventing a denial of service (DoS) attack by a requesting client on a server computer is disclosed. The computer readable medium includes computer program code for receiving a connection request at a time tn in a throttling interval m, computer program code for incrementing an interval m connection request count if the time tn is not at a beginning of the throttling interval m, and computer program code for determining if the interval m connection request count is greater than a rejection threshold associated with the requesting client. The computer readable medium also includes computer program code for rejecting the connection request if it is determined that the interval m connection request count is greater than the rejection threshold, computer program code for waiting an interval m wait time if it is determined that the interval m connection request count is not greater than the rejection threshold, and computer program code for accepting the request by the server computer.